Fwd: SB17-177: Vulnerability Summary for the Week of June 19, 2017
RICHARD BARTH
w3hwn at comcast.net
Mon Jun 26 15:32:44 EDT 2017
-------- Original Message ----------
From: US-CERT <US-CERT at ncas.us-cert.gov>
To: w3hwn at arrl.net
Date: June 26, 2017 at 12:23 PM
Subject: SB17-177: Vulnerability Summary for the Week of June 19, 2017
National Cyber Awareness System:
SB17-177: Vulnerability Summary for the Week of June 19, 2017 https://www.us-cert.gov/ncas/bulletins/SB17-177
06/26/2017 06:45 AM EDT
Original release date: June 26, 2017
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST, http://www.nist.gov) National Vulnerability Database (NVD, http://nvd.nist.gov) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS, http://www.dhs.gov) National Cybersecurity and Communications Integration Center (NCCIC, https://www.us-cert.gov/nccic) / United States Computer Emergency Readiness Team (US-CERT, https://www.us-cert.gov). For modified or updated entries, please visit the NVD (http://nvd.nist.gov), which contains historical vulnerability information.
The vulnerabilities are based on the CVE (http://cve.mitre.org/) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS, http://nvd.nist.gov/cvss.cfm) standard. The division into high, medium, and low severities corresponds to the following scores:
* High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
* Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
* Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
High Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
adobe -- captivate Adobe Captivate versions 9 and earlier have a remote code execution vulnerability in the quiz reporting feature that could be abused to read and write arbitrary files to the server. 2017-06-20 10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3098&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE-2017-3098 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3098
CONFIRM https://helpx.adobe.com/security/products/captivate/apsb17-19.html
adobe -- digital_editions Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the PDF runtime engine. Successful exploitation could lead to arbitrary code execution. 2017-06-20 10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3088&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE-2017-3088 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3088
BID http://www.securityfocus.com/bid/99020
CONFIRM https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html
adobe -- digital_editions Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the PDF imaging model. Successful exploitation could lead to arbitrary code execution. 2017-06-20 10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3089&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE-2017-3089 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3089
BID http://www.securityfocus.com/bid/99020
CONFIRM https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html
adobe -- digital_editions Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the bitmap representation module. Successful exploitation could lead to arbitrary code execution. 2017-06-20 10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3093&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE-2017-3093 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3093
BID http://www.securityfocus.com/bid/99020
CONFIRM https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html
adobe -- digital_editions Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the PDF processing engine. Successful exploitation could lead to arbitrary code execution. 2017-06-20 10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3094&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE-2017-3094 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3094
BID http://www.securityfocus.com/bid/99021
CONFIRM https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html
adobe -- digital_editions Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the PDF parsing engine. Successful exploitation could lead to arbitrary code execution. 2017-06-20 10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3095&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE-2017-3095 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3095
BID http://www.securityfocus.com/bid/99021
CONFIRM https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html
adobe -- digital_editions Adobe Digital Editions versions 4.5.4 and earlier have an exploitable memory corruption vulnerability in the character code mapping module. Successful exploitation could lead to arbitrary code execution. 2017-06-20 10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3096&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE-2017-3096 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3096
BID http://www.securityfocus.com/bid/99020
CONFIRM https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html
adobe -- digital_editions Adobe Digital Editions versions 4.5.4 and earlier contain an insecure library loading vulnerability. The vulnerability is due to unsafe library loading functions in the installer plugin. A successful exploitation could lead to arbitrary code execution. 2017-06-20 10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3097&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE-2017-3097 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3097
BID http://www.securityfocus.com/bid/99024
CONFIRM https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html
adobe -- flash_player Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable use after free vulnerability in the Primetime SDK functionality related to the profile metadata of the media stream. Successful exploitation could lead to arbitrary code execution. 2017-06-20 10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3083&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE-2017-3083 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3083
BID http://www.securityfocus.com/bid/99023
CONFIRM https://helpx.adobe.com/security/products/flash-player/apsb17-17.html
adobe -- flash_player Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable use after free vulnerability in the advertising metadata functionality. Successful exploitation could lead to arbitrary code execution. 2017-06-20 10.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3084&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C) CVE-2017-3084 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3084
BID http://www.securityfocus.com/bid/99023
CONFIRM https://helpx.adobe.com/security/products/flash-player/apsb17-17.html
nuevomailer -- nuevomailer SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier allows remote attackers to execute arbitrary SQL commands via the "r" parameter. 2017-06-19 7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-9730&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2017-9730 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9730
EXPLOIT-DB https://www.exploit-db.com/exploits/42193/
uclibc -- uclibc In uClibc 0.9.33.2, there is an out-of-bounds read in the get_subexp function in misc/regex/regexec.c when processing a crafted regular expression. 2017-06-16 7.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-9728&vector=(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVE-2017-9728 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9728
MISC http://openwall.com/lists/oss-security/2017/06/16/4
Medium Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
adobe -- captivate Adobe Captivate versions 9 and earlier have an information disclosure vulnerability resulting from abuse of the quiz reporting feature in Captivate. 2017-06-20 5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-3087&vector=(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVE-2017-3087 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3087
CONFIRM https://helpx.adobe.com/security/products/captivate/apsb17-19.html
apache -- thrift The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function. 2017-06-16 4.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2015-3254&vector=(AV:N/AC:L/Au:S/C:N/I:N/A:P) CVE-2015-3254 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3254
CONFIRM http://grokbase.com/t/thrift/user/15c2tss3td/notice-apache-thrift-security-vulnerability-cve-2015-1774
BID http://www.securityfocus.com/bid/99112
CONFIRM https://issues.apache.org/jira/browse/THRIFT-3231
MLIST https://mail-archives.apache.org/mod_mbox/thrift-user/201512.mbox/%3CCANyrgvcjvEcjTVmaL+tVXCBm4o5G+1neu=MUubD9GbU85bO_Ew@mail.gmail.com%3E
cmsmadesimple -- cms_made_simple In admin\addgroup.php in CMS Made Simple 2.1.6, when adding a user group, there is no XSS filtering, resulting in storage-type XSS generation, via the description parameter in an addgroup action. 2017-06-18 4.3 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-9668&vector=(AV:N/AC:M/Au:N/C:N/I:P/A:N) CVE-2017-9668 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9668
MISC https://github.com/XiaoZhis/ProjectSend/issues/2
uclibc -- uclibc In uClibc 0.9.33.2, there is stack exhaustion (uncontrolled recursion) in the check_dst_limits_calc_pos_1 function in misc/regex/regexec.c when processing a crafted regular expression. 2017-06-16 5.0 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-9729&vector=(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVE-2017-9729 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9729
MISC http://openwall.com/lists/oss-security/2017/06/16/4
zenbership -- zenbership SQL Injection exists in admin/index.php in Zenbership 1.0.8 via the filters array parameter, exploitable by a privileged account. 2017-06-19 6.5 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-9759&vector=(AV:N/AC:L/Au:S/C:P/I:P/A:P) CVE-2017-9759 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9759
BID http://www.securityfocus.com/bid/99147
MISC https://www.vulnerability-lab.com/get_content.php?id=2073
Low Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
linux -- linux_kernel sound/core/timer.c in the Linux kernel before 4.11.5 is vulnerable to a data race in the ALSA /dev/snd/timer driver resulting in local users being able to read information belonging to other users, i.e., uninitialized memory contents may be disclosed when a read and an ioctl happen at the same time. 2017-06-17 2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-1000380&vector=(AV:L/AC:L/Au:N/C:P/I:N/A:N) CVE-2017-1000380 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000380
MISC http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ba3021b2c79b2fa9114f92790a99deb27a65b728
MISC http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d11662f4f798b50d8c8743f433842c3e40fe3378
MISC http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.5
MISC http://www.openwall.com/lists/oss-security/2017/06/12/2
BID http://www.securityfocus.com/bid/99121
MISC https://github.com/torvalds/linux/commit/ba3021b2c79b2fa9114f92790a99deb27a65b728
MISC https://github.com/torvalds/linux/commit/d11662f4f798b50d8c8743f433842c3e40fe3378
qemu -- qemu Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device. 2017-06-16 1.9 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-9373&vector=(AV:L/AC:M/Au:N/C:N/I:N/A:P) CVE-2017-9373 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9373
CONFIRM http://git.qemu.org/?p=qemu.git;a=commit;h=d68f0f778e7f4fbd674627274267f269e40f0b04
MLIST http://www.openwall.com/lists/oss-security/2017/06/05/1
BID http://www.securityfocus.com/bid/98921
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1458270
qemu -- qemu Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device. 2017-06-16 2.1 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-9374&vector=(AV:L/AC:L/Au:N/C:N/I:N/A:P) CVE-2017-9374 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9374
CONFIRM http://git.qemu.org/?p=qemu.git;a=commit;h=d710e1e7bd3d5bfc26b631f02ae87901ebe646b0
MLIST http://www.openwall.com/lists/oss-security/2017/06/06/3
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1459132
qemu -- qemu QEMU (aka Quick Emulator), when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing. 2017-06-16 1.9 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-9375&vector=(AV:L/AC:M/Au:N/C:N/I:N/A:P) CVE-2017-9375 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9375
CONFIRM http://git.qemu.org/?p=qemu.git;a=commit;h=96d87bdda3919bb16f754b3d3fd1227e1f38f13c
MLIST http://www.openwall.com/lists/oss-security/2017/06/05/2
BID http://www.securityfocus.com/bid/98915
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1458744
qemu -- qemu QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing. 2017-06-16 1.9 https://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2017-9503&vector=(AV:L/AC:M/Au:N/C:N/I:N/A:P) CVE-2017-9503 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9503
MLIST http://www.openwall.com/lists/oss-security/2017/06/08/1
BID http://www.securityfocus.com/bid/99010
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=1459477
MLIST https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg01309.html
MLIST https://lists.gnu.org/archive/html/qemu-devel/2017-06/msg01313.html
Severity Not Yet Assigned
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
acronis_international -- true_image
Acronis True Image up to and including version 2017 Build 8053 performs software updates using HTTP. Downloaded updates are only verified using a server-provided MD5 hash. 2017-06-21 not yet calculated CVE-2017-3219 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3219
BID http://www.securityfocus.com/bid/99128
CERT-VN https://www.kb.cert.org/vuls/id/489392
adobe -- digital_editions
Adobe Digital Editions versions 4.5.4 and earlier contain an insecure library loading vulnerability. The vulnerability is due to unsafe library loading of editor control library functions in the installer plugin. A successful exploitation could lead to arbitrary code execution. 2017-06-20 not yet calculated CVE-2017-3092 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3092
BID http://www.securityfocus.com/bid/99024
CONFIRM https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html
adobe -- digital_editions
Adobe Digital Editions versions 4.5.4 and earlier contain an insecure library loading vulnerability. The vulnerability is due to unsafe library loading of browser related library extensions in the installer plugin. A successful exploitation could lead to arbitrary code execution. 2017-06-20 not yet calculated CVE-2017-3090 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3090
BID http://www.securityfocus.com/bid/99024
CONFIRM https://helpx.adobe.com/security/products/Digital-Editions/apsb17-20.html
adobe -- flash Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable use after free vulnerability during internal computation caused by multiple display object mask manipulations. Successful exploitation could lead to arbitrary code execution. 2017-06-20 not yet calculated CVE-2017-3081 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3081
BID http://www.securityfocus.com/bid/99023
CONFIRM https://helpx.adobe.com/security/products/flash-player/apsb17-17.html
adobe -- flash
Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable memory corruption vulnerability in the PNG image parser. Successful exploitation could lead to arbitrary code execution. 2017-06-20 not yet calculated CVE-2017-3077 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3077
BID http://www.securityfocus.com/bid/99025
CONFIRM https://helpx.adobe.com/security/products/flash-player/apsb17-17.html
adobe -- flash
Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable memory corruption vulnerability in the internal representation of raster data. Successful exploitation could lead to arbitrary code execution. 2017-06-20 not yet calculated CVE-2017-3079 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3079
BID http://www.securityfocus.com/bid/99025
CONFIRM https://helpx.adobe.com/security/products/flash-player/apsb17-17.html
adobe -- flash
Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable memory corruption vulnerability in the MPEG-4 AVC module. Successful exploitation could lead to arbitrary code execution. 2017-06-20 not yet calculated CVE-2017-3076 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3076
BID http://www.securityfocus.com/bid/99025
CONFIRM https://helpx.adobe.com/security/products/flash-player/apsb17-17.html
adobe -- flash
Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable memory corruption vulnerability in the Adobe Texture Format (ATF) module. Successful exploitation could lead to arbitrary code execution. 2017-06-20 not yet calculated CVE-2017-3078 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3078
BID http://www.securityfocus.com/bid/99025
CONFIRM https://helpx.adobe.com/security/products/flash-player/apsb17-17.html
adobe -- flash
Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable use after free vulnerability when manipulating the ActionScript 2 XML class. Successful exploitation could lead to arbitrary code execution. 2017-06-20 not yet calculated CVE-2017-3075 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3075
BID http://www.securityfocus.com/bid/99023
CONFIRM https://helpx.adobe.com/security/products/flash-player/apsb17-17.html
adobe -- flash
Adobe Flash Player versions 25.0.0.171 and earlier have an exploitable memory corruption vulnerability in the LocaleID class. Successful exploitation could lead to arbitrary code execution. 2017-06-20 not yet calculated CVE-2017-3082 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3082
BID http://www.securityfocus.com/bid/99025
CONFIRM https://helpx.adobe.com/security/products/flash-player/apsb17-17.html
adobe -- shockwave
Adobe Shockwave versions 12.2.8.198 and earlier have an exploitable memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution. 2017-06-20 not yet calculated CVE-2017-3086 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3086
BID http://www.securityfocus.com/bid/99019
CONFIRM https://helpx.adobe.com/security/products/shockwave/apsb17-18.html
apache -- httpd
The HTTP strict parsing changes added in Apache httpd 2.2.32 and 2.4.24 introduced a bug in token list parsing, which allows ap_find_token() to search past the end of its input string. By maliciously crafting a sequence of request headers, an attacker may be able to cause a segmentation fault, or to force ap_find_token() to return an incorrect value. 2017-06-19 not yet calculated CVE-2017-7668 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7668
BID http://www.securityfocus.com/bid/99137
MLIST https://lists.apache.org/thread.html/55a068b6a5eec0b3198ae7d96a7cb412352d0ffa7716612c5af3745b@%3Cdev.httpd.apache.org%3E
apache -- httpd
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header. 2017-06-19 not yet calculated CVE-2017-7679 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7679
BID http://www.securityfocus.com/bid/99170
MLIST https://lists.apache.org/thread.html/f4515e580dfb6eeca589a5cdebd4c4c709ce632b12924f343c3b7751@%3Cdev.httpd.apache.org%3E
apache -- httpd
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port. 2017-06-19 not yet calculated CVE-2017-3169 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3169
BID http://www.securityfocus.com/bid/99134
MLIST https://lists.apache.org/thread.html/84bf7fcc5cad35d355f11839cbdd13cbc5ffc1d34675090bff0f96ae@%3Cdev.httpd.apache.org%3E
apache -- httpd
In Apache httpd 2.2.x before 2.2.33 and 2.4.x before 2.4.26, use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed. 2017-06-19 not yet calculated CVE-2017-3167 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3167
BID http://www.securityfocus.com/bid/99135
MLIST https://lists.apache.org/thread.html/8409e41a8f7dd9ded37141c38df001be930115428c3d64f70bbdb8b4@%3Cdev.httpd.apache.org%3E
apcupsd -- apcupsd
In Adam Kropelin adk0212 APC UPS Daemon through 3.14.14, the default installation of APCUPSD allows a local authenticated, but unprivileged, user to run arbitrary code with elevated privileges by replacing the service executable apcupsd.exe with a malicious executable that will run with SYSTEM privileges at startup. This occurs because of "RW NT AUTHORITY\Authenticated Users" permissions for %SYSTEMDRIVE%\apcupsd\bin\apcupsd.exe. 2017-06-16 not yet calculated CVE-2017-7884 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7884
MISC http://seclists.org/fulldisclosure/2017/Jun/20
BID http://www.securityfocus.com/bid/99092
binutils -- binutils opcodes/rx-decode.opc in GNU Binutils 2.28 lacks bounds checks for certain scale arrays, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. 2017-06-19 not yet calculated CVE-2017-9750 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9750
BID http://www.securityfocus.com/bid/99118
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21587
binutils -- binutils The ieee_object_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. NOTE: this may be related to a compiler bug. 2017-06-19 not yet calculated CVE-2017-9748 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9748
BID http://www.securityfocus.com/bid/99110
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21582
binutils -- binutils The ieee_archive_p function in bfd/ieee.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, might allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. NOTE: this may be related to a compiler bug. 2017-06-19 not yet calculated CVE-2017-9747 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9747
BID http://www.securityfocus.com/bid/99114
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21581
binutils -- binutils
The *regs* macros in opcodes/bfin-dis.c in GNU Binutils 2.28 allow remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. 2017-06-19 not yet calculated CVE-2017-9749 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9749
BID http://www.securityfocus.com/bid/99113
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21586
binutils -- binutils
The versados_mkobject function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not initialize a certain data structure, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. 2017-06-19 not yet calculated CVE-2017-9753 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9753
BID http://www.securityfocus.com/bid/99116
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21591
binutils -- binutils
The process_otr function in bfd/versados.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, does not validate a certain offset, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. 2017-06-19 not yet calculated CVE-2017-9754 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9754
BID http://www.securityfocus.com/bid/99125
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21591
binutils -- binutils
opcodes/i386-dis.c in GNU Binutils 2.28 does not consider the number of registers for bnd mode, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. 2017-06-19 not yet calculated CVE-2017-9755 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9755
BID http://www.securityfocus.com/bid/99124
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21594
binutils -- binutils
The aarch64_ext_ldst_reglist function in opcodes/aarch64-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. 2017-06-19 not yet calculated CVE-2017-9756 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9756
BID http://www.securityfocus.com/bid/99103
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21595
binutils -- binutils
The disassemble_bytes function in objdump.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of rae insns printing for this file during "objdump -D" execution. 2017-06-19 not yet calculated CVE-2017-9746 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9746
BID http://www.securityfocus.com/bid/99117
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21580
binutils -- binutils
The score_opcodes function in opcodes/score7-dis.c in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. 2017-06-19 not yet calculated CVE-2017-9742 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9742
BID http://www.securityfocus.com/bid/99105
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21576
binutils -- binutils
The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. 2017-06-19 not yet calculated CVE-2017-9743 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9743
BID http://www.securityfocus.com/bid/99106
MISC https://sourceware.org/bugzilla/show_bug.cgi?id=21577
binutils -- binutils
opcodes/rl78-decode.opc in GNU Binutils 2.28 has an unbounded GETBYTE macro, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. 2017-06-19 not yet calculated CVE-2017-9751 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9751
BID http://www.securityfocus.com/bid/99111
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21588
binutils -- binutils
The sh_elf_set_mach_from_flags function in bfd/elf32-sh.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. 2017-06-19 not yet calculated CVE-2017-9744 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9744
BID http://www.securityfocus.com/bid/99108
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21578
binutils -- binutils
The _bfd_vms_slurp_etir function in bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during "objdump -D" execution. 2017-06-19 not yet calculated CVE-2017-9745 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9745
BID http://www.securityfocus.com/bid/99109
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21579
binutils -- binutils
bfd/vms-alpha.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file in the _bfd_vms_get_value and _bfd_vms_slurp_etir functions during "objdump -D" execution. 2017-06-19 not yet calculated CVE-2017-9752 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9752
BID http://www.securityfocus.com/bid/99122
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21589
boa_webserver -- boa_webserver
/cgi-bin/wapopen in BOA Webserver 0.94.14rc21 allows the injection of "../.." using the FILECAMERA variable (sent by GET) to read files with root privileges. 2017-06-23 not yet calculated CVE-2017-9833 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9833
MISC https://pastebin.com/raw/rt7LJvyF
bornfromfire -- android_kernel_huawei_msm8916
The msm_bus_dbg_update_request_write function in drivers/platform/msm/msm_bus/msm_bus_dbg.c in android_kernel_huawei_msm8916 through 2017-06-16 in LineageOS, and possibly other kernels for MSM devices, allows attackers to cause a denial of service (NULL pointer dereference and device crash) via a crafted /sys/kernel/debug/msm-bus-dbg/client-data/update-request write request. 2017-06-16 not yet calculated CVE-2017-6899 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6899
MISC http://blog.secret-team.cn/index.php/archives/5/
BID http://www.securityfocus.com/bid/99107
breezejs -- breeze.server.net
IdeaBlade Breeze Breeze.Server.NET before 1.6.5 allows remote attackers to execute arbitrary code, related to use of TypeNameHandling in JSON deserialization. 2017-06-22 not yet calculated CVE-2017-9424 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9424
MISC http://breeze.github.io/doc-net/release-notes.html
MISC https://www.blackhat.com/us-17/briefings.html#friday-the-13th-json-attacks
cambium_networks -- epmp
An Improper Access Control issue was discovered in Cambium Networks ePMP. After a valid user has used SNMP configuration export, an attacker is able to remotely trigger device configuration backups using specific MIBs. These backups lack proper access control and may allow access to sensitive information and possibly allow for configuration changes. 2017-06-21 not yet calculated CVE-2017-7918 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7918
BID http://www.securityfocus.com/bid/99083
MISC https://ics-cert.us-cert.gov/advisories/ICSA-17-166-01
cambium_networks -- epmp
An Improper Privilege Management issue was discovered in Cambium Networks ePMP. The privileges for SNMP community strings are not properly restricted, which may allow an attacker to gain access to sensitive information and possibly allow for configuration changes. 2017-06-21 not yet calculated CVE-2017-7922 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7922
BID http://www.securityfocus.com/bid/99083
MISC https://ics-cert.us-cert.gov/advisories/ICSA-17-166-01
check_mk -- check_mk
A cross site scripting (XSS) vulnerability exists in Check_MK versions 1.4.0x prior to 1.4.0p6, allowing an unauthenticated remote attacker to inject arbitrary HTML or JavaScript via the _username parameter when attempting authentication to webapi.py, which is returned unencoded with content type text/html. 2017-06-21 not yet calculated CVE-2017-9781 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9781
CONFIRM http://git.mathias-kettner.de/git/?p=check_mk.git;a=blob;f=.werks/4757;hb=c248f0b6ff7b15ced9f07a3df8a80fad656ea5b1
easysite -- webservices
SQL injection vulnerability in C_InfoService.asmx in WebServices in Easysite 7.0 could allow remote attackers to execute arbitrary SQL commands via an XML document containing a crafted ArticleIDs element within a GetArticleHitsArray element. 2017-06-24 not yet calculated CVE-2017-9848 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9848
MISC http://www.2cto.com/article/201409/338712.html
ecava -- integraxor
A SQL Injection issue was discovered in Ecava IntegraXor Versions 5.2.1231.0 and prior. The application fails to properly validate user input, which may allow for an unauthenticated attacker to remotely execute arbitrary code in the form of SQL queries. 2017-06-21 not yet calculated CVE-2017-6050 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6050
BID http://www.securityfocus.com/bid/99164
MISC https://ics-cert.us-cert.gov/advisories/ICSA-17-171-01
elastic -- kibana
Kibana before 4.5.4 and 4.1.11 are vulnerable to an XSS attack that would allow an attacker to execute arbitrary JavaScript in users' browsers. 2017-06-16 not yet calculated CVE-2016-1000220 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000220
BID http://www.securityfocus.com/bid/99179
CONFIRM https://www.elastic.co/community/security
elastic -- kibana
Kibana before 4.5.4 and 4.1.11 when a custom output is configured for logging in, cookies and authorization headers could be written to the log files. This information could be used to hijack sessions of other users when using Kibana behind some form of authentication such as Shield. 2017-06-16 not yet calculated CVE-2016-1000219 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000219
BID http://www.securityfocus.com/bid/99178
CONFIRM https://www.elastic.co/community/security
elastic -- logstash
Logstash prior to version 2.3.4, Elasticsearch Output plugin would log to file HTTP authorization headers which could contain sensitive information. 2017-06-16 not yet calculated CVE-2016-1000221 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1000221
BID http://www.securityfocus.com/bid/99126
CONFIRM https://www.elastic.co/community/security
elastic -- logstash
Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating connections after sniffing, would log to file HTTP basic auth credentials. 2017-06-16 not yet calculated CVE-2016-10362 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-10362
BID http://www.securityfocus.com/bid/99154
CONFIRM https://www.elastic.co/community/security
ellislab -- expressionengine
ExpressionEngine version 2.x < 2.11.8 and version 3.x < 3.5.5 create an object signing token with weak entropy. Successfully guessing the token can lead to remote code execution. 2017-06-22 not yet calculated CVE-2017-0897 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0897
CONFIRM https://docs.expressionengine.com/latest/about/changelog.html#version-3-5-5
CONFIRM https://docs.expressionengine.com/v2/about/changelog.html#version-2-11-8
CONFIRM https://expressionengine.com/blog/expressionengine-3.5.5-and-2.11.8-released
MISC https://hackerone.com/reports/215890
emc_corporation -- isilon_onefs
EMC Isilon OneFS 8.0.1.0, 8.0.0 - 8.0.0.3, 7.2.0 - 7.2.1.4, 7.1.x is affected by a privilege escalation vulnerability that could potentially be exploited by attackers to compromise the affected system. 2017-06-21 not yet calculated CVE-2017-4988 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-4988
CONFIRM http://www.securityfocus.com/archive/1/540755/30/0/threaded
BID http://www.securityfocus.com/bid/99165
emc_corporation -- avamar_server_software
In EMC Avamar Server Software 7.4.1-58, 7.4.0-242, 7.3.1-125, 7.3.0-233, 7.3.0-226, an unauthorized attacker may leverage the file upload feature of the system maintenance page to load a maliciously crafted file to any directory which could allow the attacker to execute arbitrary code on the Avamar Server system. 2017-06-21 not yet calculated CVE-2017-4990 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-4990
CONFIRM http://www.securityfocus.com/archive/1/540754/30/0/threaded
emc_corporation -- avamar_server_software
In EMC Avamar Server Software 7.3.1-125, 7.3.0-233, 7.3.0-226, 7.2.1-32, 7.2.1-31, 7.2.0-401, an unauthenticated remote attacker may potentially bypass the authentication process to gain access to the system maintenance page. This may be exploited by an attacker to view sensitive information, perform software updates, or run maintenance workflows. 2017-06-21 not yet calculated CVE-2017-4989 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-4989
CONFIRM http://www.securityfocus.com/archive/1/540754/30/0/threaded
emc_corporation -- vnx
In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions prior to OE for File 7.1.80.8, a local authenticated user can load a maliciously crafted file in the search path which may potentially allow the attacker to execute arbitrary code on the targeted VNX Control Station system, aka an uncontrolled search path vulnerability. 2017-06-19 not yet calculated CVE-2017-4987 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-4987
CONFIRM http://www.securityfocus.com/archive/1/540738/30/0/threaded
BID http://www.securityfocus.com/bid/99045
emc_corporation -- vnx
In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions prior to OE for File 7.1.80.8, a local authenticated user may potentially escalate their privileges to root due to authorization checks not being performed on certain perl scripts. This may potentially be exploited by an attacker to run arbitrary commands as root on the targeted VNX Control Station system. 2017-06-19 not yet calculated CVE-2017-4985 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-4985
CONFIRM http://www.securityfocus.com/archive/1/540738/30/0/threaded
BID http://www.securityfocus.com/bid/99037
emc_corporation -- vnx
In EMC VNX2 versions prior to OE for File 8.1.9.211 and VNX1 versions prior to OE for File 7.1.80.8, an unauthenticated remote attacker may be able to elevate their permissions to root through a command injection. This may potentially be exploited by an attacker to run arbitrary code with root-level privileges on the targeted VNX Control Station system, aka remote code execution. 2017-06-19 not yet calculated CVE-2017-4984 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-4984
CONFIRM http://www.securityfocus.com/archive/1/540738/30/0/threaded
BID http://www.securityfocus.com/bid/99039
exim -- exim
Exim supports the use of multiple "-p" command line arguments which are malloc()'ed and never free()'ed, used in conjunction with other issues allows attackers to cause arbitrary code execution. This affects exim version 4.89 and earlier. Please note that at this time upstream has released a patch (commit 65e061b76867a9ea7aeeb535341b790b90ae6c21), but it is not known if a new point release is available that addresses this issue at this time. 2017-06-19 not yet calculated CVE-2017-1000369 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000369
CONFIRM https://access.redhat.com/security/cve/CVE-2017-1000369
MISC https://github.com/Exim/exim/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
faac_project -- freeware_advanced_audio_coder
The faacEncOpen function in libfaac/frame.c in Freeware Advanced Audio Coder (FAAC) 1.28 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file. 2017-06-21 not yet calculated CVE-2017-9130 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9130
EXPLOIT-DB https://www.exploit-db.com/exploits/42207/
faac_project -- freeware_advanced_audio_coder
The wav_open_read function in frontend/input.c in Freeware Advanced Audio Coder (FAAC) 1.28 allows remote attackers to cause a denial of service (large loop) via a crafted wav file. 2017-06-21 not yet calculated CVE-2017-9129 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9129
EXPLOIT-DB https://www.exploit-db.com/exploits/42207/
flatpak -- flatpak
In Flatpak before 0.8.7, a third-party app repository could include malicious apps that contain files with inappropriate permissions, for example setuid or world-writable. The files are deployed with those permissions, which would let a local attacker run the setuid executable or write to the world-writable location. In the case of the "system helper" component, files deployed as part of the app are owned by root, so in the worst case they could be setuid root. 2017-06-21 not yet calculated CVE-2017-9780 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9780
CONFIRM https://bugs.debian.org/865413
CONFIRM https://github.com/flatpak/flatpak/issues/845
foscam -- c1
Hard-coded FTP credentials (r:r) are included in the Foscam C1 running firmware 1.9.1.12. Knowledge of these credentials would allow remote access to any cameras found on the internet that do not have port 50021 blocked by an intermediate device. 2017-06-21 not yet calculated CVE-2016-8731 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8731
BID http://www.securityfocus.com/bid/99193
MISC https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0245
foscam -- c1
An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during account creation resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability. 2017-06-21 not yet calculated CVE-2017-2827 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2827
BID http://www.securityfocus.com/bid/99184
MISC https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0328
foscam -- c1
An exploitable buffer overflow vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can cause a buffer overflow resulting in overwriting arbitrary data. An attacker can simply send an HTTP request to the device to trigger this vulnerability. 2017-06-21 not yet calculated CVE-2017-2830 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2830
BID http://www.securityfocus.com/bid/99190
MISC https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0331
foscam -- c1
An exploitable directory traversal vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can cause the application to read a file from disk but a failure to adequately filter characters results in allowing an attacker to specify a file outside of a directory. An attacker can simply send an HTTP request to the device to trigger this vulnerability. 2017-06-21 not yet calculated CVE-2017-2829 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2829
MISC https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0330
foscam -- c1
An exploitable buffer overflow vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can cause a buffer overflow resulting in overwriting arbitrary data. An attacker can simply send an HTTP request to the device to trigger this vulnerability. 2017-06-21 not yet calculated CVE-2017-2831 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2831
BID http://www.securityfocus.com/bid/99190
MISC https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0332
foscam -- c1
An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.37. A specially crafted HTTP request can allow for a user to inject arbitrary shell characters during account creation resulting in command injection. An attacker can simply send an HTTP request to the device to trigger this vulnerability. 2017-06-21 not yet calculated CVE-2017-2828 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2828
BID http://www.securityfocus.com/bid/99184
MISC https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0329
foscam -- c1
An exploitable stack-based buffer overflow vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera. A specially crafted http request can cause a stack-based buffer overflow resulting in overwriting arbitrary data on the stack frame. An attacker can simply send an http request to the device to trigger this vulnerability. 2017-06-21 not yet calculated CVE-2017-2805 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2805
BID http://www.securityfocus.com/bid/99190
MISC https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0299
glpi_project -- glpi
Multiple SQL injection vulnerabilities in GLPI 0.90.4 allow an authenticated remote attacker to execute arbitrary SQL commands by using a certain character when the database is configured to use Big5 Asian encoding. 2017-06-21 not yet calculated CVE-2016-7508 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-7508
MISC https://github.com/glpi-project/glpi/issues/1047
gnu_project -- glibc
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier. 2017-06-19 not yet calculated CVE-2017-1000366 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000366
BID http://www.securityfocus.com/bid/99127
CONFIRM https://access.redhat.com/security/cve/CVE-2017-1000366
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
CONFIRM https://www.suse.com/security/cve/CVE-2017-1000366/
CONFIRM https://www.suse.com/support/kb/doc/?id=7020973
gnu_project -- gnu_debugger
GNU Debugger (GDB) 8.0 and earlier fails to detect a negative length field in a DWARF section. A malformed section in an ELF binary or a core file can cause GDB to repeatedly allocate memory until a process limit is reached. This can, for example, impede efforts to analyze malware with GDB. 2017-06-21 not yet calculated CVE-2017-9778 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9778
CONFIRM https://sourceware.org/bugzilla/show_bug.cgi?id=21600
gnutls -- gnutls
GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer dereference while decoding a status response TLS extension with valid contents. This could lead to a crash of the GnuTLS server application. 2017-06-16 not yet calculated CVE-2017-7507 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7507
BID http://www.securityfocus.com/bid/99102
CONFIRM https://www.gnutls.org/security.html#GNUTLS-SA-2017-4
horde -- horde_image_2.x
Remote Code Execution was found in Horde_Image 2.x before 2.5.0 via a crafted GET request. Exploitation requires authentication. 2017-06-21 not yet calculated CVE-2017-9774 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9774
CONFIRM https://lists.horde.org/archives/announce/2017/001234.html
horde -- horde_image_2.x
Denial of Service was found in Horde_Image 2.x before 2.5.0 via a crafted URL to the "Null" image driver. 2017-06-21 not yet calculated CVE-2017-9773 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9773
CONFIRM https://lists.horde.org/archives/announce/2017/001234.html
ibm -- relm
IBM RELM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. 2017-06-22 not yet calculated CVE-2016-9747 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9747
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22004734
BID http://www.securityfocus.com/bid/99189
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/119822
ibm -- spectrum_scale/gpfs
IBM has identified a vulnerability with IBM Spectrum Scale/GPFS utilized on the Elastic Storage Server (ESS)/GPFS Storage Server (GSS) during testing of an unsupported configuration, where users applications are running on an active ESS I/O server node and utilize direct I/O to perform a read or a write to a Spectrum Scale file. This vulnerability may result in the use of an incorrect memory address, leading to a Spectrum Scale/GPFS daemon failure with a Signal 11, and possibly leading to denial of service or undetected data corruption. IBM X-Force ID: 125458. 2017-06-21 not yet calculated CVE-2017-1304 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1304
CONFIRM http://www.ibm.com/support/docview.wss?uid=ssg1S1010230
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/125458
ibm -- sterling_b2b_integrator_standard_edition
IBM Sterling B2B Integrator Standard Edition 5.2 could allow user to obtain sensitive information using an HTTP GET request. IBM X-Force ID: 123667. 2017-06-23 not yet calculated CVE-2017-1193 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1193
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22004202
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/123667
ibm -- sterling_b2b_integrator_standard_edition
IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 121418. 2017-06-23 not yet calculated CVE-2017-1132 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1132
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22004199
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/121418
ibm -- sterling_b2b_integrator_standard_edition
IBM Sterling File Gateway does not properly restrict user requests based on permission level. This allows for users to update data related to other users, by manipulating the parameters passed in the POST request. IBM X-Force ID: 126060. 2017-06-22 not yet calculated CVE-2017-1326 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1326
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22004274
BID http://www.securityfocus.com/bid/99183
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/126060
ibm -- sterling_b2b_integrator_standard_edition
IBM Sterling B2B Integrator Standard Edition 5.2 could allow an authenticated user to obtain sensitive information by using unsupported, specially crafted HTTP commands. IBM X-Force ID: 121375. 2017-06-23 not yet calculated CVE-2017-1131 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1131
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22004270
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/121375
ibm -- sterling_b2b_integrator_standard_edition
IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 126462. 2017-06-23 not yet calculated CVE-2017-1347 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1347
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22004199
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/126462
ibm -- sterling_b2b_integrator_standard_edition
IBM Sterling B2B Integrator Standard Edition 5.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 126524. 2017-06-23 not yet calculated CVE-2017-1348 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1348
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22004199
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/126524
ibm -- sterling_b2b_integrator_standard_edition
IBM Sterling B2B Integrator Standard Edition 5.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 115336. 2017-06-23 not yet calculated CVE-2016-5893 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-5893
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22004272
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/115336
ibm -- sterling_b2b_integrator_standard_edition
IBM Sterling B2B Integrator Standard Edition 5.2 could allow a local user to view sensitive information due to improper access controls. IBM X-Force ID: 125456. 2017-06-23 not yet calculated CVE-2017-1302 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1302
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22004202
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/125456
ibm -- sterling_b2b_integrator_standard_edition
IBM Sterling B2B Integrator Standard Edition 5.2 stores potentially sensitive information from HTTP sessions that could be read by a local user. IBM X-Force ID: 126525. 2017-06-23 not yet calculated CVE-2017-1349 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1349
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22004209
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/126525
ibm -- sterling_b2b_integrator_standard_edition
IBM Sterling B2B Integrator Standard Edition 5.2 could allow an authenticated user with special privileges to view files that they should not have access to. IBM X-Force ID: 120275. 2017-06-22 not yet calculated CVE-2016-9983 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9983
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22004273
BID http://www.securityfocus.com/bid/99198
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/120275
ibm -- sterling_b2b_integrator_standard_edition
IBM Sterling B2B Integrator Standard Edition 5.2 could allow an authenticated user to obtain sensitive information such as account lists due to improper access control. IBM X-Force ID: 120274. 2017-06-22 not yet calculated CVE-2016-9982 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9982
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22004273
BID http://www.securityfocus.com/bid/99197
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/120274
ibm -- websphere_mq
IBM WebSphere MQ 8.0 and 9.0 could allow an authenticated user to cause a denial of service to the MQXR channel when trace is enabled. IBM X-Force ID: 121155. 2017-06-21 not yet calculated CVE-2017-1117 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1117
CONFIRM http://www.ibm.com/support/docview.wss?uid=swg22001468
BID http://www.securityfocus.com/bid/99136
MISC https://exchange.xforce.ibmcloud.com/vulnerabilities/121155
inside_secure -- matrixssl
An exploitable heap buffer overflow vulnerability exists in the X509 certificate parsing functionality of Inside Secure MatrixSSL 3.8.7b. A specially crafted x509 certificate can cause a buffer overflow on the heap resulting in remote code execution. To trigger this vulnerability, a specially crafted x509 certificate must be presented to the vulnerable client or server application when initiating secure connection. 2017-06-22 not yet calculated CVE-2017-2780 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2780
MISC https://talosintelligence.com/vulnerability_reports/TALOS-2017-0276
inside_secure -- matrixssl
An exploitable heap buffer overflow vulnerability exists in the X509 certificate parsing functionality of InsideSecure MatrixSSL 3.8.7b. A specially crafted x509 certificate can cause a buffer overflow on the heap resulting in remote code execution. To trigger this vulnerability, a specially crafted x509 certificate must be presented to the vulnerable client or server application when initiating secure connection. 2017-06-22 not yet calculated CVE-2017-2781 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2781
MISC https://talosintelligence.com/vulnerability_reports/TALOS-2017-0277
inside_secure -- matrixssl
An integer overflow vulnerability exists in the X509 certificate parsing functionality of InsideSecure MatrixSSL 3.8.7b. A specially crafted x509 certificate can cause a length counter to overflow, leading to a controlled out of bounds copy operation. To trigger this vulnerability, a specially crafted x509 certificate must be presented to the vulnerable client or server application when initiating a secure connection. 2017-06-22 not yet calculated CVE-2017-2782 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2782
MISC https://talosintelligence.com/vulnerability_reports/TALOS-2017-0278
ipfire_project -- ipfire
IPFire 2.19 has a Remote Command Injection vulnerability in ids.cgi via the OINKCODE parameter, which is mishandled by a shell. This can be exploited directly by authenticated users, or through CSRF. 2017-06-19 not yet calculated CVE-2017-9757 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9757
BID http://www.securityfocus.com/bid/99173
MISC https://twitter.com/0x09AL/status/873860385652256768
EXPLOIT-DB https://www.exploit-db.com/exploits/42149/
irfan_skiljan -- irfan
An exploitable integer overflow vulnerability exists in the JPEG 2000 parser functionality of IrfanView 4.44. A specially crafted jpeg2000 image can cause an integer overflow leading to wrong memory allocation resulting in arbitrary code execution. The vulnerability can be triggered by viewing the image in the application or by using the thumbnailing feature of IrfanView. 2017-06-21 not yet calculated CVE-2017-2813 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-2813
BID http://www.securityfocus.com/bid/98046
MISC https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0310
jasper -- jasper
JasPer 2.0.12 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted image, related to the jp2_decode function in libjasper/jp2/jp2_dec.c. 2017-06-21 not yet calculated CVE-2017-9782 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9782
MISC https://github.com/mdadams/jasper/issues/140
jetty -- jetty
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. 2017-06-16 not yet calculated CVE-2017-9735 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9735
BID http://www.securityfocus.com/bid/99104
MISC https://bugs.debian.org/864631
MISC https://github.com/eclipse/jetty.project/issues/1556
lenovo -- lenovo_system_x_servers
In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated when that remote command is running. Captured command data may contain clear text login information. Authorized users that can capture and export FFDC service log data may have access to these remote commands. 2017-06-19 not yet calculated CVE-2017-3744 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3744
CONFIRM https://support.lenovo.com/product_security/LEN-14054
lenovo -- multiple_products
If multiple users are concurrently logged into a single system where one user is sending a command via the Lenovo ToolsCenter Advanced Settings Utility (ASU), UpdateXpress System Pack Installer (UXSPI) or Dynamic System Analysis (DSA) to a second machine, the other users may be able to see the user ID and clear text password that were used to access the second machine during the time the command is processing. 2017-06-19 not yet calculated CVE-2017-3743 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3743
CONFIRM https://support.lenovo.com/us/en/product_security/LEN-10810
lenovo -- xclarity_administrator
In Lenovo XClarity Administrator (LXCA) before 1.3.0, if service data is downloaded from LXCA, a non-administrative user may have access to password information for users that have previously authenticated to the LXCA's internal LDAP server, including administrative accounts and service accounts with administrative privileges. This is an issue only for users who have used local authentication with LXCA and not remote authentication against external LDAP or ADFS servers. 2017-06-19 not yet calculated CVE-2017-3745 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3745
CONFIRM https://support.lenovo.com/us/en/product_security/LEN-13671
libmtp -- libmtp
An integer overflow vulnerability in ptp-pack.c (ptp_unpack_OPL function) of libmtp (version 1.1.12 and below) allows attackers to cause a denial of service (out-of-bounds memory access) or maybe remote code execution by inserting a mobile device into a personal computer through a USB cable. 2017-06-23 not yet calculated CVE-2017-9832 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9832
CONFIRM https://sourceforge.net/p/libmtp/mailman/message/35729062
libmtp -- libmtp
An integer overflow vulnerability in the ptp_unpack_EOS_CustomFuncEx function of the ptp-pack.c file of libmtp (version 1.1.12 and below) allows attackers to cause a denial of service (out-of-bounds memory access) or maybe remote code execution by inserting a mobile device into a personal computer through a USB cable. 2017-06-23 not yet calculated CVE-2017-9831 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9831
CONFIRM https://sourceforge.net/p/libmtp/mailman/message/35735992/
libffi -- libffi
libffi requests an executable stack allowing attackers to more easily trigger arbitrary code execution by overwriting the stack. Please note that libffi is used by a number of other libraries. This affects libffi version 3.2.1. 2017-06-19 not yet calculated CVE-2017-1000376 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000376
CONFIRM https://access.redhat.com/security/cve/CVE-2017-1000376
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
libtiff -- libtiff
In LibTIFF 4.0.7, the TIFFReadDirEntryLong8Array function in libtiff/tif_dirread.c mishandles a malloc operation, which allows attackers to cause a denial of service (memory leak within the function _TIFFmalloc in tif_unix.c) via a crafted file. 2017-06-22 not yet calculated CVE-2017-9815 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9815
MISC http://bugzilla.maptools.org/show_bug.cgi?id=2682
MISC http://somevulnsofadlab.blogspot.jp/2017/06/libtiffmemory-leak-in-tiffmalloc.html
BID http://www.securityfocus.com/bid/99235
libtorrent -- libtorrent
The bdecode function in bdecode.cpp in libtorrent 1.1.3 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted file. 2017-06-24 not yet calculated CVE-2017-9847 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9847
CONFIRM https://github.com/arvidn/libtorrent/issues/2099
linux -- linux_kernel
An issue was discovered in the size of the stack guard page on Linux: a 4k stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed). This affects Linux Kernel versions 4.11.5 and earlier (the stack guard page was introduced in 2010). 2017-06-19 not yet calculated CVE-2017-1000364 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000364
BID http://www.securityfocus.com/bid/99130
CONFIRM https://access.redhat.com/security/cve/CVE-2017-1000364
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
CONFIRM https://www.suse.com/security/cve/CVE-2017-1000364/
CONFIRM https://www.suse.com/support/kb/doc/?id=7020973
linux -- linux_kernel
The Linux Kernel running on AMD64 systems will sometimes map the contents of a PIE executable, the heap or ld.so to where the stack is mapped, allowing attackers to more easily manipulate the stack. Linux Kernel version 4.11.5 is affected. 2017-06-19 not yet calculated CVE-2017-1000379 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000379
CONFIRM https://access.redhat.com/security/cve/CVE-2017-1000379
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
linux -- linux_kernel
The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIM_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation. This affects Linux Kernel versions 4.11.5 and earlier. It appears that this feature was introduced in the Linux Kernel version 2.6.23. 2017-06-19 not yet calculated CVE-2017-1000365 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000365
BID http://www.securityfocus.com/bid/99156
CONFIRM https://access.redhat.com/security/cve/CVE-2017-1000365
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
linux -- linux_kernel
The offset2lib patch as used in the Linux Kernel contains a vulnerability: if a PIE binary is execve()'ed with 1GB of arguments or environment strings, then the stack occupies the address 0x80000000 and the PIE binary is mapped above 0x40000000, nullifying the protection of the offset2lib patch. This affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. This issue appears to be limited to i386 based systems. 2017-06-19 not yet calculated CVE-2017-1000370 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000370
BID http://www.securityfocus.com/bid/99149
CONFIRM https://access.redhat.com/security/cve/CVE-2017-1000370
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
linux -- linux_kernel
An issue was discovered in the size of the default stack guard page on PAX Linux (originally from GRSecurity but shipped by other Linux vendors): the default stack guard page is not sufficiently large and can be "jumped" over (the stack guard page is bypassed). This affects PAX Linux Kernel versions as of June 19, 2017 (specific version information is not available at this time). 2017-06-19 not yet calculated CVE-2017-1000377 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000377
BID http://www.securityfocus.com/bid/99129
CONFIRM https://access.redhat.com/security/cve/CVE-2017-1000377
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
linux -- linux_kernel
The offset2lib patch as used by the Linux Kernel contains a vulnerability: if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction), then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000, the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems. 2017-06-19 not yet calculated CVE-2017-1000371 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000371
BID http://www.securityfocus.com/bid/99131
CONFIRM https://access.redhat.com/security/cve/CVE-2017-1000371
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
mcafee -- data_loss_prevention_endpoint
Cross Site Scripting (XSS) in IMG Tags in the ePO extension in McAfee Data Loss Prevention Endpoint (DLP Endpoint) 10.0.x allows authenticated users to inject arbitrary web script or HTML via injecting malicious JavaScript into a user's browsing session. 2017-06-23 not yet calculated CVE-2017-3948 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3948
CONFIRM https://kc.mcafee.com/corporate/index?page=content&id=SB10202
microsoft -- windows
A buffer overflow in Smart Card authentication code in gpkcsp.dll in Microsoft Windows XP through SP3 and Server 2003 through SP2 allows a remote attacker to execute arbitrary code on the target computer, provided that the computer is joined in a Windows domain and has Remote Desktop Protocol connectivity (or Terminal Services) enabled. 2017-06-22 not yet calculated CVE-2017-0176 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-0176
BID http://www.securityfocus.com/bid/98550
BID http://www.securityfocus.com/bid/98752
MISC https://blog.fortinet.com/2017/05/11/deep-analysis-of-esteemaudit
MISC https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/
CONFIRM https://support.microsoft.com/en-us/help/4022747/security-update-for-windows-xp-and-windows-server-2003
milwaukee_tool -- one-key_android_mobile_app
The Milwaukee ONE-KEY Android mobile application uses bearer tokens with an expiration of one year. This bearer token, in combination with a user_id can be used to perform user actions. 2017-06-19 not yet calculated CVE-2017-3215 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3215
MISC https://duo.com/blog/bug-hunting-drilling-into-the-internet-of-things-iot
milwaukee_tool -- one-key_android_mobile_app
The Milwaukee ONE-KEY Android mobile application stores the master token in plaintext in the apk binary. 2017-06-19 not yet calculated CVE-2017-3214 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3214
MISC https://duo.com/blog/bug-hunting-drilling-into-the-internet-of-things-iot
multiple_vendors -- wimax_routers
WiMAX routers based on the MediaTek SDK (libmtk) that use a custom httpd plugin are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to gain administrator access to the device by performing an administrator password change on the device via a crafted POST request. 2017-06-19 not yet calculated CVE-2017-3216 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3216
MISC http://blog.sec-consult.com/2017/06/ghosts-from-past-authentication-bypass.html
CERT-VN http://www.kb.cert.org/vuls/id/350135
MISC https://sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170607-0_Various_WiMAX_CPEs_Authentication_Bypass_v10.txt
netbsd -- netbsd
NetBSD maps the run-time link-editor ld.so directly below the stack region, even if ASLR is enabled; this allows attackers to more easily manipulate memory, leading to arbitrary code execution. This affects NetBSD 7.1 and possibly earlier versions. 2017-06-19 not yet calculated CVE-2017-1000375 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000375
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
netbsd -- netbsd
A flaw exists in NetBSD's implementation of the stack guard page that allows attackers to bypass it resulting in arbitrary code execution using certain setuid binaries. This affects NetBSD 7.1 and possibly earlier versions. 2017-06-19 not yet calculated CVE-2017-1000374 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000374
BID http://www.securityfocus.com/bid/99176
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
netbsd -- netbsd
The NetBSD qsort() function is recursive and not randomized, so an attacker can construct a pathological input array of N elements that causes qsort() to deterministically recurse N/4 times. This allows attackers to consume arbitrary amounts of stack memory and manipulate stack memory to assist in arbitrary code execution attacks. This affects NetBSD 7.1 and possibly earlier versions. 2017-06-19 not yet calculated CVE-2017-1000378 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000378
MISC http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/stdlib/qsort.c?rev=1.23&content-type=text/x-cvsweb-markup
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
ocaml -- ocaml
Insufficient sanitisation in the OCaml compiler versions 4.04.0 and 4.04.1 allows external code to be executed with raised privilege in binaries marked as setuid, by setting the CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, or CAML_BYTE_CPLUGINS environment variable. 2017-06-23 not yet calculated CVE-2017-9772 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9772
CONFIRM https://caml.inria.fr/mantis/view.php?id=7557
CONFIRM https://sympa.inria.fr/sympa/arc/caml-list/2017-06/msg00094.html
openbsd_project -- openbsd
The OpenBSD qsort() function is recursive and not randomized, so an attacker can construct a pathological input array of N elements that causes qsort() to deterministically recurse N/4 times. This allows attackers to consume arbitrary amounts of stack memory and manipulate stack memory to assist in arbitrary code execution attacks. This affects OpenBSD 6.1 and possibly earlier versions. 2017-06-19 not yet calculated CVE-2017-1000373 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000373
BID http://www.securityfocus.com/bid/99177
MISC https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/qsort.c?rev=1.15&content-type=text/x-cvsweb-markup
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
openbsd_project -- openbsd
A flaw exists in OpenBSD's implementation of the stack guard page that allows attackers to bypass it resulting in arbitrary code execution using setuid binaries such as /usr/bin/at. This affects OpenBSD 6.1 and possibly earlier versions. 2017-06-19 not yet calculated CVE-2017-1000372 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-1000372
BID http://www.securityfocus.com/bid/99172
MISC https://ftp.openbsd.org/pub/OpenBSD/patches/6.1/common/008_exec_subr.patch.sig
MISC https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
openwebif -- openwebif
An issue was discovered in the OpenWebif plugin through 1.2.4 for E2 open devices. The saveConfig function of "plugin/controllers/models/config.py" performs an eval() call on the contents of the "key" HTTP GET parameter. This allows an unauthenticated remote attacker to execute arbitrary Python code or OS commands via api/saveconfig. 2017-06-21 not yet calculated CVE-2017-9807 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9807
BID http://www.securityfocus.com/bid/99232
CONFIRM https://github.com/E2OpenPlugins/e2openplugin-OpenWebif/issues/620
oracle -- sun_systems_products_suite
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in takeover of Solaris. CVSS 3.0 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). 2017-06-22 not yet calculated CVE-2017-3629 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3629
CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html
BID http://www.securityfocus.com/bid/99150
oracle -- sun_systems_products_suite
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data as well as unauthorized read access to a subset of Solaris accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Solaris. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). 2017-06-22 not yet calculated CVE-2017-3631 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3631
CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html
BID http://www.securityfocus.com/bid/99151
oracle -- sun_systems_products_suite
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Solaris accessible data as well as unauthorized read access to a subset of Solaris accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Solaris. CVSS 3.0 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). 2017-06-22 not yet calculated CVE-2017-3630 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3630
CONFIRM http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html
BID http://www.securityfocus.com/bid/99153
piwigo -- piwigo
Cross-site scripting (XSS) vulnerability in Piwigo 2.9.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the virtual_name parameter to /admin.php (i.e., creating a virtual album). 2017-06-24 not yet calculated CVE-2017-9836 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9836
MISC https://github.com/Piwigo/Piwigo/issues/716
piwigo -- piwigo
The ws_session_logout function in Piwigo 2.9.1 and earlier does not properly delete user login cookies, which allows remote attackers to gain access via cookie reuse. 2017-06-24 not yet calculated CVE-2017-9837 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9837
MISC https://github.com/Piwigo/Piwigo/issues/717
poppler -- poppler
Stack buffer overflow in GfxState.cc in pdftocairo in Poppler before 0.56 allows remote attackers to cause a denial of service (application crash) via a crafted PDF document. 2017-06-22 not yet calculated CVE-2017-9775 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9775
CONFIRM https://bugs.freedesktop.org/show_bug.cgi?id=101540
poppler -- poppler
Integer overflow leading to heap buffer overflow in JBIG2Stream.cc in pdftocairo in Poppler before 0.56 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted PDF document. 2017-06-22 not yet calculated CVE-2017-9776 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9776
CONFIRM https://bugs.freedesktop.org/show_bug.cgi?id=101541
projectsend -- r754
install/make-config.php in ProjectSend r754 allows remote attackers to execute arbitrary PHP code via the dbprefix parameter, related to replacing TABLES_PREFIX in the configuration file. 2017-06-18 not yet calculated CVE-2017-9741 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9741
MISC https://github.com/XiaoZhis/ProjectSend/issues/1
radare2 -- radare2
The cmd_info function in libr/core/cmd_info.c in radare2 1.5.0 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted binary file. 2017-06-19 not yet calculated CVE-2017-9762 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9762
BID http://www.securityfocus.com/bid/99140
CONFIRM https://github.com/radare/radare2/issues/7726
radare2 -- radare2
The find_eoq function in libr/core/cmd.c in radare2 1.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file. 2017-06-19 not yet calculated CVE-2017-9761 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9761
BID http://www.securityfocus.com/bid/99138
CONFIRM https://github.com/radare/radare2/commit/00e8f205475332d7842d0f0d1481eeab4e83017c
CONFIRM https://github.com/radare/radare2/issues/7727
radare2 -- radare2
The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before 2013-11-12, as used in shlr/grub/fs/ext2.c in radare2 1.5.0, allows remote attackers to cause a denial of service (excessive stack use and application crash) via a crafted binary file, related to use of a variable-size stack array. 2017-06-19 not yet calculated CVE-2017-9763 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9763
CONFIRM http://git.savannah.gnu.org/cgit/grub.git/commit/grub-core/fs/ext2.c?id=ac8cac1dac50daaf1c390d701cca3b55e16ee768
BID http://www.securityfocus.com/bid/99141
CONFIRM https://github.com/radare/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd
CONFIRM https://github.com/radare/radare2/issues/7723
redgate -- sql_monitor
In Redgate SQL Monitor before 3.10 and 4.x before 4.2, a remote attacker can gain unauthenticated access to the Base Monitor, resulting in the ability to execute arbitrary SQL commands on any monitored Microsoft SQL Server machines. If the Base Monitor is connecting to these machines using an account with SQL admin privileges, then code execution on the operating system can result in full system compromise (if Microsoft SQL Server is running with local administrator privileges). 2017-06-22 not yet calculated CVE-2015-9098 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-9098
CONFIRM http://www.red-gate.com/products/dba/sql-monitor/entrypage/security-vulnerability
samsung -- magician
Samsung Magician 5.0 fails to validate TLS certificates for HTTPS software update traffic. Prior to version 5.0, Samsung Magician uses HTTP for software updates. 2017-06-21 not yet calculated CVE-2017-3218 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-3218
BID http://www.securityfocus.com/bid/99081
CERT-VN https://www.kb.cert.org/vuls/id/846320
sitecore -- sitecore.net
Sitecore.NET 7.1 through 7.2 has a Cross Site Scripting Vulnerability via the searchStr parameter to the /Search-Results URI. 2017-06-23 not yet calculated CVE-2017-9356 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9356
MISC http://seclists.org/bugtraq/2017/Jun/43
sophos -- anti-virus_threat_detection_engine
A VMSF_DELTA memory corruption was discovered in unrar before 5.5.5, as used in Sophos Anti-Virus Threat Detection Engine before 3.37.2 and other products, that can lead to arbitrary code execution. An integer overflow can be caused in DataSize+CurChannel. The result is a negative value of the "DestPos" variable, which allows the attacker to write out of bounds when setting Mem[DestPos]. 2017-06-22 not yet calculated CVE-2012-6706 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6706
MISC http://securitytracker.com/id?1027725
MISC http://telussecuritylabs.com/threats/show/TSL20121207-01
MISC https://bugs.chromium.org/p/project-zero/issues/detail?id=1286
MISC https://community.sophos.com/kb/en-us/118424#six
MISC https://lock.cmpxchg8b.com/sophailv2.pdf
MISC https://nakedsecurity.sophos.com/2012/11/05/tavis-ormandy-sophos/
trihedral_engineering -- vtscada
An Information Exposure issue was discovered in Trihedral VTScada Versions prior to 11.2.26. Some files are exposed within the web server application to unauthenticated users. These files may contain sensitive configuration information. 2017-06-21 not yet calculated CVE-2017-6045 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6045
BID http://www.securityfocus.com/bid/99066
MISC https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01
trihedral_engineering -- vtscada
A Cross-Site Scripting issue was discovered in Trihedral VTScada Versions prior to 11.2.26. A cross-site scripting vulnerability may allow JavaScript code supplied by the attacker to execute within the user's browser. 2017-06-21 not yet calculated CVE-2017-6053 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6053
BID http://www.securityfocus.com/bid/99066
MISC https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01
trihedral_engineering -- vtscada
A Resource Consumption issue was discovered in Trihedral VTScada Versions prior to 11.2.26. The client does not properly validate the input or limit the amount of resources that are utilized by an attacker, which can be used to consume more resources than are available. 2017-06-21 not yet calculated CVE-2017-6043 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-6043
BID http://www.securityfocus.com/bid/99066
MISC https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01
vivotek -- network_cameras
'/cgi-bin/admin/testserver.cgi' of the web service in most of the VIVOTEK Network Cameras is vulnerable to shell command injection, which allows remote attackers to execute any shell command as root via a crafted HTTP request. This vulnerability is already verified on VIVOTEK Network Camera IB8369/FD8164/FD816BA; most others have similar firmware that may be affected. An attack uses shell metacharacters in the senderemail parameter. 2017-06-23 not yet calculated CVE-2017-9828 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9828
MISC https://blog.cal1.cn/post/An%20easy%20way%20to%20pwn%20most%20of%20the%20vivotek%20network%20cameras
vivotek -- network_cameras
'/cgi-bin/admin/downloadMedias.cgi' of the web service in most of the VIVOTEK Network Cameras is vulnerable, which allows remote attackers to read any file on the camera's Linux filesystem via a crafted HTTP request containing ".." sequences. This vulnerability is already verified on VIVOTEK Network Camera IB8369/FD8164/FD816BA; most others have similar firmware that may be affected. 2017-06-23 not yet calculated CVE-2017-9829 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9829
MISC https://blog.cal1.cn/post/An%20easy%20way%20to%20pwn%20most%20of%20the%20vivotek%20network%20cameras
websitebaker_org -- websitebaker
install\save.php in WebsiteBaker v2.10.0 allows remote attackers to execute arbitrary PHP code via the database_username parameter. 2017-06-21 not yet calculated CVE-2017-9771 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9771
MISC https://github.com/XiaoZhis/ProjectSend/issues/3
winmail -- winmail_server
Winmail Server 6.1 allows remote code execution by authenticated users who leverage directory traversal in a netdisk.php move_folder_file call to move a .php file from the FTP folder into a web folder. 2017-06-24 not yet calculated CVE-2017-9846 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9846
MISC http://www.magicwinmail.com/changelog.php
MISC https://github.com/zhonghaozhao/winmail/issues/1
wireshark -- wireshark
In Wireshark 2.2.7, PROFINET IO data with a high recursion depth allows remote attackers to cause a denial of service (stack exhaustion) in the dissect_IODWriteReq function in plugins/profinet/packet-dcerpc-pn-io.c. 2017-06-21 not yet calculated CVE-2017-9766 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-9766
BID http://www.securityfocus.com/bid/99187
CONFIRM https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13811
CONFIRM https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=d6e888400ba64de3147d1111a4c23edf389b0000